TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Significant Delays Hindered Efforts to Provide Continuous Monitoring of Security Settings on Computer Workstations

January 24, 2013

Reference Number: 2013-20-016

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website | http://www.treasury.gov/tigta


HIGHLIGHTS

SIGNIFICANT DELAYS HINDERED EFFORTS TO PROVIDE CONTINUOUS MONITORING OF SECURITY SETTINGS ON COMPUTER WORKSTATIONS

Highlights

Final Report issued on January 24, 2013

Highlights of Reference Number: 2013-20-016 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Effective continuous monitoring of computer workstations allows security issues to be identified and mitigated promptly, reducing the likelihood of a security breach. When IRS data and its network are not secured, taxpayer information becomes vulnerable to unauthorized disclosure and theft. Furthermore, security breaches can cause network disruptions and prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries. In addition, the IRS collects vast quantities of personal and financial information that can be targeted for identity theft.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to determine whether the IRS is effectively and efficiently implementing its continuous monitoring tool to monitor security settings on employee workstations and laptop computers. This audit was included in TIGTA's Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

WHAT TIGTA FOUND

The Treasury Enhanced Security Initiatives project, which includes the continuous monitoring tool for workstation security, will address several computer security weaknesses. The IRS appropriately acquired the project's multiple software components, and the project team completed key documentation during the development process, ensuring that critical issues were identified and addressed. However, the Treasury Enhanced Security Initiatives project has experienced several delays, and the project's oversight board did not take required actions to manage the delays or the associated costs. The IRS was scheduled to deploy the security tools in December 2010 but now plans to complete the deployment in May 2013.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer direct the Cybersecurity and Privacy Governance Board to: 1) review total actual life cycle costs for projects at least quarterly and review variances between actual costs and the originally proposed estimated costs, 2) manage costs by considering the postponement of projects with long-term delays, and 3) escalate ongoing project delays to the higher level Security Services and Privacy Executive Steering Committee.

The IRS agreed with TIGTA's recommendations and plans to review information technology projects' life cycle costs, consider postponing those projects with long-term delays, and escalate delays to the higher level Security Services and Privacy Executive Steering Committee.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

January 24, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: (for) Michael E. McKenney, Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Significant Delays Hindered Efforts to Provide Continuous Monitoring of Security Settings on Computer Workstations (Audit # 201220008)

This report presents the results of our review of the Internal Revenue Service's (IRS) continuous monitoring efforts on computer workstations. The overall objective of this review was to determine whether the IRS is effectively and efficiently implementing its continuous monitoring tool to monitor security settings on employee workstations and laptop computers. This audit was included in the Treasury Inspector General for Tax Administration's Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees. This audit was also part of our statutory requirement to annually review the adequacy and security of IRS technology.

Management's complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).


Table of Contents

Background ... Page 1

Results of Review ... Page 3
    The Treasury Enhanced Security Initiatives Project Will Address Several Computer Security Weaknesses on Employee Workstations ... Page 3
    The Treasury Enhanced Security Initiatives Project Completed Key Documentation and Properly Acquired the Software ... Page 4
    The Treasury Enhanced Security Initiatives Project Experienced Several Delays ... Page 6
    The Cybersecurity and Privacy Governance Board Did Not Take Required Actions to Manage Project Delays ... Page 7
        Recommendations 1 through 3: ... Page 8

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ... Page 9
    Appendix II – Major Contributors to This Report ... Page 11
    Appendix III – Report Distribution List ... Page 12
    Appendix IV – Outcome Measure ... Page 13
    Appendix V – Symantec Risk Automation Suite Diagram ... Page 14
    Appendix VI – Glossary of Terms ... Page 15
    Appendix VII – Management's Response to the Draft Report ... Page 20


Abbreviations

FDCC    Federal Desktop Core Configuration
IRS     Internal Revenue Service
IT      Information Technology
NIST    National Institute of Standards and Technology
OMB     Office of Management and Budget
SCAP    Secure Content Automation Protocol
SRAS    Symantec Risk Automation Suite
TESI    Treasury Enhanced Security Initiatives
TIGTA   Treasury Inspector General for Tax Administration


Background

Government computer systems are subject to a variety of threats. According to the Government Accountability Office, cyber-based[1] threats to Federal systems and critical infrastructure are evolving and growing.[2] These threats can be intentional or unintentional, targeted or nontargeted, and come from a variety of sources, including criminals, terrorists, and other adversarial groups, as well as hackers and disgruntled employees. The motivations for these threats—both external and internal—include causing disruption, committing fraud, and performing identity theft. Security protections cannot prevent all attacks, but they can reduce the opportunities that attackers have to gain access to a computer or to damage the computer's software or information. At the Internal Revenue Service (IRS), security breaches can cause network disruptions and prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries. In addition, the IRS collects vast quantities of personal and financial information that can be targeted for identity theft. Security settings on computer systems should be monitored and maintained continuously so that security weaknesses can be identified and mitigated promptly, reducing the likelihood of a security breach. When IRS data and its network are not secured, taxpayer information becomes vulnerable to unauthorized disclosure and theft.

In March 2007, the Office of Management and Budget (OMB) launched the Federal Desktop Core Configuration (FDCC) initiative,[3] setting forth requirements for establishing standard secure configurations on Federal workstations running the Windows® Vista and Windows XP operating systems. The FDCC was later updated to include security configuration settings for the Windows 7 operating system. Two main goals of the FDCC are to improve information security and reduce overall information technology operating costs by providing a baseline level of security configuration settings. When these settings are maintained on computer systems, less time and money is spent eradicating malware, restoring systems from backups, and reinstalling operating systems and applications. A reduction in vulnerability exposure is also achieved.

    [Sidebar] The IRS is required to continuously monitor security settings on computer workstations to identify and address security settings that have been altered.

[1] See Appendix VI for a glossary of terms.
[2] Government Accountability Office, GAO-10-202, Agencies Need to Implement Federal Desktop Core Configuration Requirements, 3 (2010).
[3] Office of Management and Budget, OMB Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (2007).

The OMB required agencies to implement the standard security configurations by February 2008 and to begin continuous monitoring of these settings in August 2008.[4] The OMB required agencies to monitor the security settings by using a Secure Content Automation Protocol (SCAP)-validated tool with FDCC scanner capability. The tool must be validated by the National Institute of Standards and Technology (NIST).

The SCAP approach provides an automated, standardized approach to maintaining the security of enterprise systems, such as implementing security configuration baselines, verifying the presence of patches, performing continuous monitoring of system security configuration settings, examining systems for signs of compromise, and achieving situational awareness, i.e., being able to determine the security posture of systems and the organization at any given time.

The IRS is currently addressing the OMB mandates with a tool developed by the Space and Naval Warfare Systems Command called the SCAP Compliance Checker. However, this tool has limited functionality, and the IRS is attempting to replace it with more robust technology. These efforts are managed through the IRS's Treasury Enhanced Security Initiatives (TESI) project. The TESI project is led by officials in the Information Technology (IT) organization's User and Network Services function. Oversight is provided by the Cybersecurity and Privacy Governance Board, which oversees nonmajor information technology projects and is responsible for ensuring project objectives are met, risks are managed appropriately, and expenditures are fiscally sound.[5]

This review was performed at the IRS IT organization offices in New Carrollton, Maryland, and in the Treasury Inspector General for Tax Administration (TIGTA) office in Dallas, Texas, during the period January through August 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[4] Office of Management and Budget, OMB Memorandum M-08-22, Guidance on the Federal Desktop Core Configuration (2008).
[5] Within the IRS IT organization, the following functions have voting representatives on the Cybersecurity and Privacy Governance Board: Applications Development, Cybersecurity (Architecture and Implementation, Operations, and Risk Management Divisions), User and Network Services, Enterprise Operations, and Enterprise Services.


Results of Review

The Treasury Enhanced Security Initiatives Project Will Address Several Computer Security Weaknesses on Employee Workstations

The SCAP Compliance Checker tool currently being used to monitor security settings allows the IRS to achieve a minimum level of compliance with the FDCC mandate. The tool scans for FDCC settings and is SCAP-compliant, based on the initial version of the tool that was certified by the NIST. However, this compliance checker tool lacks significant capabilities. Specifically, the tool:

  • Does not provide remediation capabilities.
  • Does not generate reports that present specific FDCC setting deficiencies.
  • Does not allow the IRS to identify which workstations have noncompliant configurations or which configurations have been improperly altered.

Knowing which security settings have been altered on specific computers is crucial because some settings are more significant than others and require immediate attention. For example, one FDCC setting restricts the undocking of a laptop computer from its docking station. Laptop computers are designed to be undocked for travel and teleworking purposes. For this reason, the undocking security setting is not as significant as others. The IRS would not prioritize fixing this low-risk setting if it was altered on a computer workstation. By contrast, another FDCC setting that blocks users from downloading malicious programs or installing devices onto their workstations is significant, and the IRS would prioritize the investigation of changes to this setting. The IRS needs an automated monitoring tool with the capability to identify and report both the specific noncompliant FDCC settings and the workstations that contain the noncompliant settings.

The objective of the TESI project is to enable the IRS to fully comply with the OMB mandate and implement other key security controls for workstations. The TESI project will be deployed in two phases and includes six separate software components. The first phase of the project includes three components:

  • The Symantec Risk Automation Suite (SRAS) will use dissolving agents to scan security configurations on computer workstations and identify noncompliant settings on specific workstations. The SRAS tool, once deployed, will perform asset discovery, auditing, and reporting for all IRS workstations. The SRAS will analyze workstations for policy compliance as determined by the FDCC, the NIST, and internal IRS policies. This component will also allow the IRS to prioritize the highest risk workstations for timely remediation. The SRAS will eventually replace the SCAP Compliance Checker tool currently in place at the IRS. See a diagram of the SRAS component in Appendix V.
  • The Application Control Solution will allow the IRS to improve system integrity, security, and manageability by classifying known applications as either allowed or disallowed and thereby permit or prevent their execution.
  • The Local Security Solution will provide centralized management of local administrative users and groups and allow the IRS to quickly and easily provision these accounts on the network. This component will resolve a current administrator password weakness that the IRS has identified and documented.

These components will allow the IRS to better monitor computer workstations on a more continuous basis, identify high-risk systems for immediate remediation, and provide some assurance that employee workstations are secure.

The Treasury Enhanced Security Initiatives Project Completed Key Documentation and Properly Acquired the Software

Key enterprise life cycle artifacts were properly completed

The TESI project team completed the key documentation required by the IRS's Enterprise Life Cycle development process. IRS IT organization project teams are required to follow the Enterprise Life Cycle development methodology. This approach is used to manage and implement business change through information systems initiatives and provides the artifacts and processes needed to accomplish business change in a consistent and repeatable manner. An important objective of the Enterprise Life Cycle is to enhance chances for success by reducing risk and ensuring compliance with internal and external standards and mandates.

An example of a key artifact that the TESI project properly completed is the System Deployment Plan. This plan defines the detailed set of activities required for the deployment of the TESI project components. We verified that the major sections of this plan were properly completed. The major sections are the site dependency matrix that provides the deployment activities and the corresponding responsible organizations, the roles and responsibilities section that identifies the roles and individuals responsible for deployment and testing activities at each site, and the site deployment schedule that provides a comprehensive list of the deployment activities with start and completion dates and durations.

Furthermore, the TESI project's Enterprise Life Cycle test plans are comprehensive and include the required details.

  • The System Test Plan includes testing system controls surrounding the TESI project and includes policy checker and vulnerability scans.
  • The End-of-Test Completion report indicates the project plans to document and follow through on test results.
  • The Deployment Site Readiness Test plan indicates the project plans to conduct ongoing testing as the TESI project components are rolled out to the various deployment sites.

The IRS was starting to test the TESI project components at the end of our fieldwork. However, our review of the TESI project test plans and early test results indicates the planned testing is more extensive than what is currently required by the IRS Cybersecurity function. Furthermore, the testing documentation is thorough and complete.

Stakeholders were involved in the design and development of the TESI project

The TESI Project Management team involved its key stakeholders in the design and development processes. The TESI project team held weekly meetings that included key stakeholders from the User and Network Services function, the Enterprise Services function, and the Enterprise System Management team in the Enterprise Operations function. These stakeholders provided comments on the Enterprise Life Cycle artifacts and documentation and informally communicated with the TESI project team frequently. This collaboration is important when deploying enterprise-wide software tools that require resource alignment and coordination between functions.

The TESI project software components were properly acquired

The IRS properly acquired the SRAS component of the TESI project from the General Services Administration's SmartBUY program, which pre-negotiates prices for the Federal Government in order to achieve maximum cost savings and the best quality for commodity software. The IRS also properly acquired the Local Security Solution and Application Control Solution components through the National Aeronautics and Space Administration Solutions for Enterprise-Wide Procurement contract. This contract also provides pre-competed discounted prices on information technology products for use by all Federal agencies. In addition, all three Phase 1 TESI project components were approved to be added to the IRS's Enterprise Standards Profile, which is the official list of information technology standards and approved software products at the IRS.

The SRAS component is SCAP-validated

We also determined that the SRAS component of the TESI project was validated by the NIST as a SCAP-compliant tool in accordance with the OMB's August 2008 mandate. This means the SRAS uses the standardized format and nomenclature by which security software products communicate software flaws and security configuration information. The SRAS utilizes the SCAP to organize, express, and measure security-related information in standardized ways, including unique identifiers for vulnerabilities. Furthermore, the SRAS was deployed successfully at the U.S. Department of Health and Human Services, another large Federal agency with a geographically dispersed network.

The Treasury Enhanced Security Initiatives Project Experienced Several Delays

While the IRS completed and documented the Enterprise Life Cycle processes to develop the TESI project components, the project experienced several delays that affected its timely deployment.

Customer Account Data Engine, Version 2 – The Enterprise Operations function was responsible for ensuring the Customer Account Data Engine 2 system would operate as intended during the 2012 Filing Season. The mission of the Customer Account Data Engine 2 Program is to provide state-of-the-art individual taxpayer account processing and technologies to improve service to taxpayers and enhance tax administration. Once complete, the new modernized environment should allow the IRS to more effectively and efficiently update taxpayer accounts, support account settlement and maintenance, and process refunds on a daily basis. This high-profile modernization project was the top information technology priority for the IRS and consumed significant resources in the Enterprise Operations function in Calendar Years 2011 and 2012. Several information technology projects at the IRS were affected, including the TESI project, because the projects depend on the Enterprise Operations function to establish foundational infrastructure, such as the Symantec Management Platform discussed in detail below.

Symantec Infrastructure Upgrade – As the IRS prepared to upgrade its infrastructure from Altiris 6.9 to Symantec Management Platform version 7.0 in April 2011, officials from the Symantec Corporation notified the IRS that version 7.0 had several problems that required resolution before the IRS could deploy the upgrade on its network. The IRS had to delay this infrastructure upgrade until the Symantec Corporation released its Symantec Management Platform version 7.1, which the IRS approved for deployment in May 2011. However, as of August 2012, 16 months after the planned upgrade, the IRS has not successfully deployed and stabilized version 7.1.

At the end of Calendar Year 2011, Enterprise Operations function officials began working with contractors from the Symantec Corporation on a daily basis to resolve the Symantec Management Platform version 7.1 performance issues. Symantec and Enterprise Operations function officials determined on January 5, 2012, that the Symantec Management Platform was not operating as intended because the IRS's virtualized server environment could not provide the required input/output speeds that are necessary for the Symantec Management Platform to function properly. Symantec Corporation reiterated the required resources for the platform and recommended physical structured query language servers be used instead of virtualized servers. The Enterprise Operations function agreed with the recommendation but has not installed the physical servers as of August 2012.

Filing Season Moratoriums – The IRS establishes a filing season moratorium each year to stabilize its information technology production environment during peak tax return processing times. During the moratorium, no changes to the information technology environment are allowed to be implemented without executive approval. The TESI project experienced delays due to two separate filing season moratoriums in effect from November 30, 2010, through May 23, 2011, and from November 1, 2011, through May 21, 2012.

The cumulative effect of these delays resulted in the IRS acquiring software licenses for each component of the TESI project that have not yet been implemented. As of August 2012, the IRS has paid $687,180 for license renewal and maintenance fees that expire in September 2012 for products that are not yet deployed.

The Cybersecurity and Privacy Governance Board Did Not Take Required Actions to Manage Project Delays

The Cybersecurity and Privacy Governance Board held its first meeting in November 2009 with a charter to resolve project issues; manage cost, schedule, and scope variances; and escalate any unresolved issues to the higher level Security Services and Privacy Executive Steering Committee. However, this Board did not take these actions to address the delays that the TESI project encountered.

In March 2011, the TESI project first reported to the Cybersecurity and Privacy Governance Board that significant delays were hindering the project from deploying on time, and the project needed a new baseline. Specifically, the delay in upgrading the Symantec Management Platform, which we explained earlier in this report, was reported. The same delay was then reported to the Board on a regular basis for the next 16 months, through July 2012, but the Board did not take actions to manage the costs associated with the delay or approve a new baseline for the project until the July 2012 meeting. Considering the TESI project was originally scheduled to deploy the SRAS in December 2010, the project continued to operate for 19 months without an approved baseline, from December 2010 to July 2012. Additionally, at no point did the Board request the TESI project to report its total life cycle costs. This action would have allowed the Board to analyze cost variances against the original planned cost at the start of the project and the actual and revised estimated costs. Finally, the Board did not escalate the significant delays to the higher level Executive Steering Committee.

The Cybersecurity and Privacy Governance Board Chair informed us that the Board did not consider postponing the project to conserve funds for other information technology projects. The Board mistakenly assumed that the Enterprise Operations function would provide the support that the TESI project needed in the following month. However, at the end of our fieldwork, in August 2012, the Enterprise Operations function still had not installed the physical servers or stabilized the Symantec Management Platform infrastructure. Furthermore, the IRS paid contractors $1,151,939 for TESI project support from December 2010, the original SRAS deployment date, through April 2012.[6] The TESI project currently plans to deploy its Phase 1 components in May 2013.

Recommendations

The Chief Technology Officer should direct the Cybersecurity and Privacy Governance Board to:

Recommendation 1: Review total actual life cycle costs for projects at least quarterly and review variances between actual costs and the originally proposed estimated costs.

    Management's Response: The IRS agreed with this recommendation. The Cybersecurity and Privacy Governance Board will review total actual life cycle costs for projects at least quarterly and review variances between actual costs and estimated costs.

Recommendation 2: Manage costs by considering the postponement of projects with long-term delays.

    Management's Response: The IRS agreed with this recommendation. The Cybersecurity and Privacy Governance Board will consider postponing projects with long-term delays and will present its recommendation for postponement to the higher level governance board, the Security Services and Privacy Executive Steering Committee, for concurrence.

Recommendation 3: Escalate ongoing project delays to the Security Services and Privacy Executive Steering Committee, as required by its charter.

    Management's Response: The IRS agreed with this recommendation. The Cybersecurity and Privacy Governance Board will escalate ongoing delays that cannot be resolved to the higher level governance board, the Security Services and Privacy Executive Steering Committee, for resolution.

[6] See Appendix IV for more details.


Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS is effectively and efficiently implementing its continuous monitoring tool to monitor security settings on employee workstations and laptop computers. To accomplish our objective, we:

I.   Evaluated the continuous monitoring capability that is currently in place for workstations and determined whether the SRAS[1] will provide the OMB-mandated functionality once implemented.
     A. Reviewed the performance and functionality of the Space and Naval Warfare Systems Command's SCAP Compliance Checker tool currently in place at the IRS to identify weaknesses in the tool, and confirmed that the NIST approved it to be SCAP-compliant.
     B. Determined whether the SRAS system will provide the OMB-mandated functionality for scanning and monitoring security configurations, once deployed, and determined whether the tool is NIST-validated.

II.  Determined whether the IRS properly and efficiently procured a SCAP-validated workstation configuration monitoring tool.
     A. Determined whether the SRAS component and any related contract support services met the requirements for the General Services Administration's SmartBUY program and other Federal purchasing programs by obtaining and analyzing acquisition documentation and program requirements.
     B. Interviewed the appropriate contracting officer and TESI project management to obtain explanations of the acquisition processes that were followed.
     C. Determined whether premature acquisition of tools, licenses, infrastructure, or services resulted in wasted funds.

III. Determined whether the IRS has effectively managed the TESI project to implement the SRAS within its budget and schedule.
     A.
Determined whether the TESI project was properly classified as a nonmajor\n              acquisition per relevant regulations.\n\n\n\n1\n    See Appendix VI for a glossary of terms.\n                                                                                                Page 9\n\x0c                              Significant Delays Hindered Efforts to\n                            Provide Continuous Monitoring of Security\n                               Settings on Computer Workstations\n\n\n\n       B. Determined whether the TESI project followed the correct Enterprise Life Cycle path;\n          properly and timely completed key Enterprise Life Cycle deliverables, artifacts, and\n          processes; ensured that major stakeholders were actively involved throughout the\n          project development phases, especially during critical review processes such as\n          Customer Technical Reviews, Life Cycle Stage reviews, and Milestone Readiness\n          reviews; and timely and properly conducted Milestone Readiness Reviews and\n          Milestone Exit Reviews, which are mandatory for all projects.\n       C. Identified the deadlines for implementing the SRAS and evaluated the TESI project\xe2\x80\x99s\n          success in meeting the deadlines. We also determined whether the IRS rebaselined\n          the TESI project in accordance with OMB guidance and determined the number of\n          times the project was officially rebaselined.\n       D. Determined the cause and effect of the delays the IRS experienced in implementing\n          the SRAS. We interviewed TESI project management, Enterprise Operations\n          function officials, and the Chair of the Cybersecurity and Privacy Governance Board\n          to quantify delays and their causes. 
We reviewed Board meeting minutes to\n          determine whether the delays, along with the cause and effect, were timely reported\n          to the Board, and evaluated the Board\xe2\x80\x99s actions to address the delays.\n       E. Determined the overall TESI project costs to date and estimated costs remaining for\n          implementation.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the OMB, the NIST, and related IRS\nguidelines for continuous monitoring of security configurations on computer workstations and\nthe IRS\xe2\x80\x99s efforts to implement these controls in order to protect the IRS network and data. We\nevaluated these controls by conducting interviews and meetings with TESI project management\nand security staff at the IRS responsible for addressing noncompliant workstations. We also\nreviewed software and contractor support acquisitions for the TESI project, as well as related\nIRS processes and regulatory requirements information.\n\n\n\n\n                                                                                       Page 10\n\x0c                              Significant Delays Hindered Efforts to\n                            Provide Continuous Monitoring of Security\n                               Settings on Computer Workstations\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nW. 
Allen Gray, Audit Manager\nJena R. Whitley, Lead Auditor\nCharles O. Ekunwe, Senior Auditor\nMary L. Jankowski, Senior Auditor\nLinda L. Nethery, Information Technology Specialist\n\n\n\n\n                                                                                     Page 11\n\x0c                            Significant Delays Hindered Efforts to\n                          Provide Continuous Monitoring of Security\n                             Settings on Computer Workstations\n\n\n\n                                                                            Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Commissioner for Services and Enforcement SE\nAssociate Chief Information Officer, Cybersecurity OS:CTO:C\nAssociate Chief Information Officer, Enterprise Operations OS:CTO:EO\nAssociate Chief Information Officer, Strategy and Planning OS:CTO:SP\nAssociate Chief Information Officer, User and Network Services OS:CTO:UNS\nDirector, Office of Research, Analysis, and Statistics RAS\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                                  Page 12\n\x0c                                Significant Delays Hindered Efforts to\n                              Provide Continuous Monitoring of Security\n                                 Settings on Computer Workstations\n\n\n\n                                                                                 Appendix IV\n\n                                Outcome Measure\n\nThis appendix presents detailed information on the measurable impact that our recommended\ncorrective actions 
will have on tax administration. This benefit will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\n\xef\x82\xb7   Inefficient Use of Resources \xe2\x80\x93 Potential; $1,151,939 in contractor support services (see\n    page 7).\n\nMethodology Used to Measure the Reported Benefit:\nThe IRS spent $1,151,939 on contractor support services for the TESI project from its original\nDecember 2010 planned deployment of the SRAS component through April 2012. The TIGTA\xe2\x80\x99s\nrecommendation to the Cybersecurity and Privacy Governance Board to manage project costs\nand consider postponing projects with long-term delays will enable the IRS to improve its\nprocess to more efficiently manage information technology project resources.\n\n\n\n\n                                                                                          Page 13\n\x0c                                   Significant Delays Hindered Efforts to\n                                 Provide Continuous Monitoring of Security\n                                    Settings on Computer Workstations\n\n\n\n                                                                                            Appendix V\n\n            Symantec Risk Automation Suite Diagram\n\n\n\n\nSource: The TIGTA and design artifacts developed by the IRS\xe2\x80\x99s TESI project team. 
SQL = structured query\nlanguage.\n\n                                                                                                     Page 14\n\x0c                       Significant Delays Hindered Efforts to\n                     Provide Continuous Monitoring of Security\n                        Settings on Computer Workstations\n\n\n\n                                                                       Appendix VI\n\n                      Glossary of Terms\n\n              Term                               Definition\nAcquisition             The process of obtaining products or services through\n                        contractual agreements with outside vendors or contractors.\nAltiris                 Company acquired by Symantec Corporation in 2007.\nApplication             An information technology component of a system that\n                        utilizes information technology resources to store, process,\n                        retrieve, or transmit data or information using information\n                        technology hardware and software.\nArtifact                The tangible result (output) of an activity or task performed by\n                        a project during the Enterprise Life Cycle.\nBaseline                A benchmark that includes project costs, schedule, and scope\n                        against which project performance is measured.\nContractor              An organization external to the IRS that supplies goods and\n                        services according to a formal contract. 
A contractor is a type\n                        of provider.\nCyber                   Cyber is often used for \xe2\x80\x9celectronic\xe2\x80\x9d or \xe2\x80\x9ccomputer-related.\xe2\x80\x9d\nDissolving Agent        A computer program that is used for collecting data locally at\n                        endpoints without requiring communication back to the\n                        scanner; once data are collected, the agent sends the data back\n                        to the scanner and deletes itself from the endpoint.\nEnterprise              An organization with a defined mission/goal and a defined\n                        boundary, using information systems to execute that mission,\n                        and with responsibility for managing its own risks and\n                        performance. An enterprise may consist of all or some of the\n                        following business aspects: acquisition, program\n                        management, financial management, human resources,\n                        security, information systems, and mission management.\n\n\n\n\n                                                                                Page 15\n\x0c                            Significant Delays Hindered Efforts to\n                          Provide Continuous Monitoring of Security\n                             Settings on Computer Workstations\n\n\n\n\n             Term                                      Definition\nEnterprise Life Cycle        The Enterprise Life Cycle is the approach used by the IRS to\n                             manage and implement business change through information\n                             systems initiatives. 
The Enterprise Life Cycle provides the\n                             direction, processes, tools, and assets necessary to accomplish\n                             business change in a consistent and repeatable manner.\nFederal Desktop Core         Designed to provide a single standard, enterprise-wide\nConfiguration                managed environment for desktops and laptops by using a\n                             common configuration to improve security and reduce costs.\nGovernance                   The exercise of external control over a project or program by\n                             personnel or organizations that are not part of or directly\n                             associated with the team performing the work on a day-to-day\n                             basis.\nInformation Security         The protection of information and information systems from\n                             unauthorized access, use, disclosure, disruption, modification,\n                             or destruction in order to provide confidentiality, integrity, and\n                             availability.\nInformation Technology       Any equipment or interconnected system or subsystem of\n                             equipment that is used in the automatic acquisition, storage,\n                             manipulation, management, movement, control, display,\n                             switching, interchange, transmission, or reception of data or\n                             information by the executive agency. 
The term information\n                             technology includes computers, ancillary equipment, software,\n                             firmware and similar procedures, services (including support\n                             services), and related resources.\nMalware (also Malicious      Software or firmware intended to perform an unauthorized\nCode)                        process that will have an adverse impact on the\n                             confidentiality, integrity, or availability of an information\n                             system. A virus, worm, Trojan horse, or other code-based\n                             entity that infects a host. Spyware and some forms of adware\n                             are also examples of malicious code.\nModernization                Modernization is the process of updating, improving, and\n                             bringing in line with modern standards. Modernization is an\n                             IRS program that includes Organization Modernization and\n                             Business System Modernization (processes and technology).\n\n\n                                                                                       Page 16\n\x0c                               Significant Delays Hindered Efforts to\n                             Provide Continuous Monitoring of Security\n                                Settings on Computer Workstations\n\n\n\n\n            Term                                            Definition\nNational Institute of Standards   The NIST, under the Department of Commerce, is responsible\nand Technology                    for developing standards and guidelines for providing\n                                  adequate information security for all Federal Government\n                                  agency operations and assets.\nNetwork                           Information system(s) implemented with a collection of\n                                  interconnected 
components. Such components may include\n                                  routers, hubs, cabling, telecommunications controllers, key\n                                  distribution centers, and technical control devices.\nNonmajor Project                  A project that meets OMB criteria for nonmajor projects.\nOffice of Management and          Implementation and enforcement arm of Presidential policy\nBudget                            Government-wide that carries out its mission through budget\n                                  development and execution; oversight of agency performance,\n                                  Federal procurement, and financial management; and the\n                                  review of, among other things, all significant Federal\n                                  regulations by executive agencies.\nProject                           A group of tasks to accomplish a specific objective, with a\n                                  beginning and ending date, that is planned, monitored, and\n                                  measured; follows a life cycle process; and results in\n                                  deliverables or end products.\nRelease                           A collection (one or more) of changes made since the last\n                                  deployment of a system. 
A release can also refer to an initial\n                                  deployment of software or hardware and may or may not be\n                                  used in the context of one or more projects.\nRemediation                       The act of correcting a vulnerability or eliminating a threat\n                                  through activities such as installing a patch, adjusting\n                                  configuration settings, or uninstalling a software application.\nRisk                              The level of impact on agency operations (including mission,\n                                  functions, image, or reputation), agency assets, or individuals\n                                  resulting from the operation of an information system given\n                                  the potential impact of a threat and the likelihood of that threat\n                                  occurring.\nSecurity Content Automation       A method for using specific standards to enable automated\nProtocol                          vulnerability management, measurement, and policy\n                                  compliance evaluation.\n\n                                                                                            Page 17\n\x0c                              Significant Delays Hindered Efforts to\n                            Provide Continuous Monitoring of Security\n                               Settings on Computer Workstations\n\n\n\n\n          Term                                           Definition\nServer                         A physical computer (a computer hardware system) dedicated\n                               to running one or more services (as a host), to serve the needs\n                               of the users of other computers on the network. 
Depending on\n                               the computing service that it offers, it could be a database\n                               server, file server, mail server, print server, web server,\n                               gaming server, or some other kind of server.\nStructured Query Language      A special-purpose programming language designed for\n                               managing data in relational database management systems.\nSymantec Management            Provides a set of services that information technology-related\nPlatform                       solutions can leverage. Because solutions share the same\n                               platform, they can share platform services as well as data.\n                               This close integration of solutions and the platform makes it\n                               easier to use the different solutions because they work in a\n                               common environment and are administered through a common\n                               interface. 
Components include role-based security; client\n                               communications and management; event-triggered and\n                               scheduled task and policy execution; file deployment and\n                               installation; reporting; and centralized management through a\n                               single, common interface.\nSymantec Risk Automation       Tool with capabilities that relate directly to the objectives of\nSuite                          the NIST SCAP, a method for using specific standards to\n                               enable automated and integrated vulnerability management\n                               and measurement, and policy compliance evaluation.\n                               Provides continuous and automated information technology\n                               risk metrics.\nSystem                         A discrete set of information resources organized for the\n                               collection, processing, maintenance, use, sharing,\n                               dissemination, or disposition of information. 
A system\n                               normally includes hardware, software, information, data,\n                               applications, communications, and people.\n\n\n\n\n                                                                                         Page 18\n\x0c                       Significant Delays Hindered Efforts to\n                     Provide Continuous Monitoring of Security\n                        Settings on Computer Workstations\n\n\n\n\n           Term                                  Definition\nThreat                  Any circumstance or event with the potential to adversely\n                        affect organizational operations (including mission, functions,\n                        image, or reputation), organizational assets, or individuals\n                        through an information system via unauthorized access,\n                        destruction, disclosure, modification of information, or denial\n                        of service. Also, the potential for a threat source to\n                        successfully exploit an information system\xe2\x80\x99s vulnerability.\nUser                    Individual, or (system) process acting on behalf of an\n                        individual, authorized to access an information system.\nVirtualized Server      Running applications in separate, isolated partitions (separate\n                        \xe2\x80\x9cvirtual machines\xe2\x80\x9d) within a single server. 
Widely used in\n                        enterprise and cloud computing data centers, each virtual\n                        machine runs its own operating system and application and\n                        can be moved or copied from one server to another for load\n                        balancing or to expand processing capability.\nVirus                   A piece of programming code usually disguised as something\n                        else that causes some unexpected and, for the victim, usually\n                        undesirable event and which is often designed so it is\n                        automatically spread to other computers.\nVulnerability           Weakness in an information system, system security\n                        procedures, internal controls, or implementation that could be\n                        exploited or triggered by a threat source.\nVulnerability Scan      The process of proactively identifying vulnerabilities of an\n                        information system in order to determine if and where a\n                        system can be exploited or threatened. 
Employs software that\n                        seeks out security flaws based on a database of known flaws,\n                        tests systems for the occurrence of these flaws, and generates a\n                        report of the findings that an individual or an enterprise can\n                        use to tighten the network\xe2\x80\x99s security.\n\n\n\n\n                                                                                  Page 19\n\x0c            Significant Delays Hindered Efforts to\n          Provide Continuous Monitoring of Security\n             Settings on Computer Workstations\n\n\n\n                                                 Appendix VII\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                       Page 20\n\x0c  Significant Delays Hindered Efforts to\nProvide Continuous Monitoring of Security\n   Settings on Computer Workstations\n\n\n\n\n                                            Page 21\n\x0c  Significant Delays Hindered Efforts to\nProvide Continuous Monitoring of Security\n   Settings on Computer Workstations\n\n\n\n\n                                            Page 22\n\x0c'